smbd: Fix following symlinks if basedir != cwd_fsp
[samba4-gss.git] / source4 / setup / provision_users.ldif
blobefdf756f9c25a5438b4dae59c0adfc48718ba51d
1 # Add default primary groups (domain users, domain guests, domain computers &
2 # domain controllers) - needed for the users to find valid primary groups
3 # (samldb module)
5 dn: CN=Domain Users,CN=Users,${DOMAINDN}
6 objectClass: top
7 objectClass: group
8 description: All domain users
9 objectSid: ${DOMAINSID}-513
10 sAMAccountName: Domain Users
11 isCriticalSystemObject: TRUE
13 dn: CN=Domain Guests,CN=Users,${DOMAINDN}
14 objectClass: top
15 objectClass: group
16 description: All domain guests
17 objectSid: ${DOMAINSID}-514
18 sAMAccountName: Domain Guests
19 isCriticalSystemObject: TRUE
21 dn: CN=Domain Computers,CN=Users,${DOMAINDN}
22 objectClass: top
23 objectClass: group
24 description: All workstations and servers joined to the domain
25 objectSid: ${DOMAINSID}-515
26 sAMAccountName: Domain Computers
27 isCriticalSystemObject: TRUE
29 dn: CN=Domain Controllers,CN=Users,${DOMAINDN}
30 objectClass: top
31 objectClass: group
32 description: All domain controllers in the domain
33 objectSid: ${DOMAINSID}-516
34 adminCount: 1
35 sAMAccountName: Domain Controllers
36 isCriticalSystemObject: TRUE
38 # Add users
40 dn: CN=Administrator,CN=Users,${DOMAINDN}
41 objectClass: user
42 description: Built-in account for administering the computer/domain
43 userAccountControl: 512
44 objectSid: ${DOMAINSID}-500
45 adminCount: 1
46 accountExpires: 9223372036854775807
47 sAMAccountName: Administrator
48 clearTextPassword:: ${ADMINPASS_B64}
49 isCriticalSystemObject: TRUE
51 dn: CN=Guest,CN=Users,${DOMAINDN}
52 objectClass: user
53 description: Built-in account for guest access to the computer/domain
54 userAccountControl: 66082
55 primaryGroupID: 514
56 objectSid: ${DOMAINSID}-501
57 sAMAccountName: Guest
58 isCriticalSystemObject: TRUE
60 dn: CN=krbtgt,CN=Users,${DOMAINDN}
61 objectClass: top
62 objectClass: person
63 objectClass: organizationalPerson
64 objectClass: user
65 description: Key Distribution Center Service Account
66 showInAdvancedViewOnly: TRUE
67 userAccountControl: 514
68 objectSid: ${DOMAINSID}-502
69 adminCount: 1
70 accountExpires: 9223372036854775807
71 sAMAccountName: krbtgt
72 servicePrincipalName: kadmin/changepw
73 clearTextPassword:: ${KRBTGTPASS_B64}
74 isCriticalSystemObject: TRUE
76 # Add other groups
78 dn: CN=Enterprise Read-only Domain Controllers,CN=Users,${DOMAINDN}
79 objectClass: top
80 objectClass: group
81 description: Members of this group are Read-Only Domain Controllers in the enterprise
82 objectSid: ${DOMAINSID}-498
83 sAMAccountName: Enterprise Read-only Domain Controllers
84 groupType: -2147483640
85 isCriticalSystemObject: TRUE
87 dn: CN=Domain Admins,CN=Users,${DOMAINDN}
88 objectClass: top
89 objectClass: group
90 description: Designated administrators of the domain
91 member: CN=Administrator,CN=Users,${DOMAINDN}
92 objectSid: ${DOMAINSID}-512
93 adminCount: 1
94 sAMAccountName: Domain Admins
95 isCriticalSystemObject: TRUE
97 dn: CN=Cert Publishers,CN=Users,${DOMAINDN}
98 objectClass: top
99 objectClass: group
100 description: Members of this group are permitted to publish certificates to the directory
101 objectSid: ${DOMAINSID}-517
102 sAMAccountName: Cert Publishers
103 groupType: -2147483644
104 isCriticalSystemObject: TRUE
106 dn: CN=Schema Admins,CN=Users,${DOMAINDN}
107 objectClass: top
108 objectClass: group
109 description: Designated administrators of the schema
110 member: CN=Administrator,CN=Users,${DOMAINDN}
111 objectSid: ${DOMAINSID}-518
112 adminCount: 1
113 sAMAccountName: Schema Admins
114 groupType: -2147483640
115 isCriticalSystemObject: TRUE
117 dn: CN=Enterprise Admins,CN=Users,${DOMAINDN}
118 objectClass: top
119 objectClass: group
120 description: Designated administrators of the enterprise
121 member: CN=Administrator,CN=Users,${DOMAINDN}
122 objectSid: ${DOMAINSID}-519
123 adminCount: 1
124 sAMAccountName: Enterprise Admins
125 groupType: -2147483640
126 isCriticalSystemObject: TRUE
128 dn: CN=Group Policy Creator Owners,CN=Users,${DOMAINDN}
129 objectClass: top
130 objectClass: group
131 description: Members in this group can modify group policy for the domain
132 member: CN=Administrator,CN=Users,${DOMAINDN}
133 objectSid: ${DOMAINSID}-520
134 sAMAccountName: Group Policy Creator Owners
135 isCriticalSystemObject: TRUE
137 dn: CN=Read-only Domain Controllers,CN=Users,${DOMAINDN}
138 objectClass: top
139 objectClass: group
140 description: Members of this group are Read-Only Domain Controllers in the domain
141 objectSid: ${DOMAINSID}-521
142 adminCount: 1
143 sAMAccountName: Read-only Domain Controllers
144 isCriticalSystemObject: TRUE
146 dn: CN=RAS and IAS Servers,CN=Users,${DOMAINDN}
147 objectClass: top
148 objectClass: group
149 description: Servers in this group can access remote access properties of users
150 objectSid: ${DOMAINSID}-553
151 sAMAccountName: RAS and IAS Servers
152 groupType: -2147483644
153 isCriticalSystemObject: TRUE
155 dn: CN=Allowed RODC Password Replication Group,CN=Users,${DOMAINDN}
156 objectClass: top
157 objectClass: group
158 description: Members in this group can have their passwords replicated to all read-only domain controllers in the domain
159 objectSid: ${DOMAINSID}-571
160 sAMAccountName: Allowed RODC Password Replication Group
161 groupType: -2147483644
162 isCriticalSystemObject: TRUE
164 dn: CN=Denied RODC Password Replication Group,CN=Users,${DOMAINDN}
165 objectClass: top
166 objectClass: group
167 description: Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain
168 member: CN=Read-only Domain Controllers,CN=Users,${DOMAINDN}
169 member: CN=Group Policy Creator Owners,CN=Users,${DOMAINDN}
170 member: CN=Domain Admins,CN=Users,${DOMAINDN}
171 member: CN=Cert Publishers,CN=Users,${DOMAINDN}
172 member: CN=Enterprise Admins,CN=Users,${DOMAINDN}
173 member: CN=Schema Admins,CN=Users,${DOMAINDN}
174 member: CN=Domain Controllers,CN=Users,${DOMAINDN}
175 member: CN=krbtgt,CN=Users,${DOMAINDN}
176 objectSid: ${DOMAINSID}-572
177 sAMAccountName: Denied RODC Password Replication Group
178 groupType: -2147483644
179 isCriticalSystemObject: TRUE
181 dn: CN=Protected Users,CN=Users,${DOMAINDN}
182 objectClass: top
183 objectClass: group
184 description: Members of this group are afforded additional protections against authentication security threats
185 objectSid: ${DOMAINSID}-525
186 sAMAccountName: Protected Users
187 groupType: -2147483646
188 isCriticalSystemObject: TRUE
190 # NOTICE: Some other users and groups which rely on automatic SIDs are located
191 # in "provision_self_join_modify.ldif"
193 # Add foreign security principals
195 dn: CN=S-1-5-4,CN=ForeignSecurityPrincipals,${DOMAINDN}
196 objectClass: top
197 objectClass: foreignSecurityPrincipal
198 objectSid: S-1-5-4
200 dn: CN=S-1-5-9,CN=ForeignSecurityPrincipals,${DOMAINDN}
201 objectClass: top
202 objectClass: foreignSecurityPrincipal
203 objectSid: S-1-5-9
205 dn: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}
206 objectClass: top
207 objectClass: foreignSecurityPrincipal
208 objectSid: S-1-5-11
210 dn: CN=S-1-5-17,CN=ForeignSecurityPrincipals,${DOMAINDN}
211 objectClass: top
212 objectClass: foreignSecurityPrincipal
213 objectSid: S-1-5-17
215 # Add builtin objects
217 dn: CN=Administrators,CN=Builtin,${DOMAINDN}
218 objectClass: top
219 objectClass: group
220 description: Administrators have complete and unrestricted access to the computer/domain
221 member: CN=Domain Admins,CN=Users,${DOMAINDN}
222 member: CN=Enterprise Admins,CN=Users,${DOMAINDN}
223 member: CN=Administrator,CN=Users,${DOMAINDN}
224 objectSid: S-1-5-32-544
225 adminCount: 1
226 sAMAccountName: Administrators
227 systemFlags: -1946157056
228 groupType: -2147483643
229 isCriticalSystemObject: TRUE
231 dn: CN=Users,CN=Builtin,${DOMAINDN}
232 objectClass: top
233 objectClass: group
234 description: Users are prevented from making accidental or intentional system-wide changes and can run most applications
235 member: CN=Domain Users,CN=Users,${DOMAINDN}
236 member: CN=S-1-5-4,CN=ForeignSecurityPrincipals,${DOMAINDN}
237 member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}
238 objectSid: S-1-5-32-545
239 sAMAccountName: Users
240 systemFlags: -1946157056
241 groupType: -2147483643
242 isCriticalSystemObject: TRUE
244 dn: CN=Guests,CN=Builtin,${DOMAINDN}
245 objectClass: top
246 objectClass: group
247 description: Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted
248 member: CN=Domain Guests,CN=Users,${DOMAINDN}
249 member: CN=Guest,CN=Users,${DOMAINDN}
250 objectSid: S-1-5-32-546
251 sAMAccountName: Guests
252 systemFlags: -1946157056
253 groupType: -2147483643
254 isCriticalSystemObject: TRUE
256 dn: CN=Account Operators,CN=Builtin,${DOMAINDN}
257 objectClass: top
258 objectClass: group
259 description: Members can administer domain user and group accounts
260 objectSid: S-1-5-32-548
261 adminCount: 1
262 sAMAccountName: Account Operators
263 systemFlags: -1946157056
264 groupType: -2147483643
265 isCriticalSystemObject: TRUE
267 dn: CN=Server Operators,CN=Builtin,${DOMAINDN}
268 objectClass: top
269 objectClass: group
270 description: Members can administer domain servers
271 objectSid: S-1-5-32-549
272 adminCount: 1
273 sAMAccountName: Server Operators
274 systemFlags: -1946157056
275 groupType: -2147483643
276 isCriticalSystemObject: TRUE
278 dn: CN=Print Operators,CN=Builtin,${DOMAINDN}
279 objectClass: top
280 objectClass: group
281 description: Members can administer domain printers
282 objectSid: S-1-5-32-550
283 adminCount: 1
284 sAMAccountName: Print Operators
285 systemFlags: -1946157056
286 groupType: -2147483643
287 isCriticalSystemObject: TRUE
289 dn: CN=Backup Operators,CN=Builtin,${DOMAINDN}
290 objectClass: top
291 objectClass: group
292 description: Backup Operators can override security restrictions for the sole purpose of backing up or restoring files
293 objectSid: S-1-5-32-551
294 adminCount: 1
295 sAMAccountName: Backup Operators
296 systemFlags: -1946157056
297 groupType: -2147483643
298 isCriticalSystemObject: TRUE
300 dn: CN=Replicator,CN=Builtin,${DOMAINDN}
301 objectClass: top
302 objectClass: group
303 description: Supports file replication in a domain
304 objectSid: S-1-5-32-552
305 adminCount: 1
306 sAMAccountName: Replicator
307 systemFlags: -1946157056
308 groupType: -2147483643
309 isCriticalSystemObject: TRUE
311 dn: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,${DOMAINDN}
312 objectClass: top
313 objectClass: group
314 description: A backward compatibility group which allows read access on all users and groups in the domain
315 member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}
316 objectSid: S-1-5-32-554
317 sAMAccountName: Pre-Windows 2000 Compatible Access
318 systemFlags: -1946157056
319 groupType: -2147483643
320 isCriticalSystemObject: TRUE
322 dn: CN=Remote Desktop Users,CN=Builtin,${DOMAINDN}
323 objectClass: top
324 objectClass: group
325 description: Members in this group are granted the right to logon remotely
326 objectSid: S-1-5-32-555
327 sAMAccountName: Remote Desktop Users
328 systemFlags: -1946157056
329 groupType: -2147483643
330 isCriticalSystemObject: TRUE
332 dn: CN=Network Configuration Operators,CN=Builtin,${DOMAINDN}
333 objectClass: top
334 objectClass: group
335 description: Members in this group can have some administrative privileges to manage configuration of networking features
336 objectSid: S-1-5-32-556
337 sAMAccountName: Network Configuration Operators
338 systemFlags: -1946157056
339 groupType: -2147483643
340 isCriticalSystemObject: TRUE
342 dn: CN=Incoming Forest Trust Builders,CN=Builtin,${DOMAINDN}
343 objectClass: top
344 objectClass: group
345 description: Members of this group can create incoming, one-way trusts to this forest
346 objectSid: S-1-5-32-557
347 sAMAccountName: Incoming Forest Trust Builders
348 systemFlags: -1946157056
349 groupType: -2147483643
350 isCriticalSystemObject: TRUE
352 dn: CN=Performance Monitor Users,CN=Builtin,${DOMAINDN}
353 objectClass: top
354 objectClass: group
355 description: Members of this group can access performance counter data locally and remotely
356 objectSid: S-1-5-32-558
357 sAMAccountName: Performance Monitor Users
358 systemFlags: -1946157056
359 groupType: -2147483643
360 isCriticalSystemObject: TRUE
362 dn: CN=Performance Log Users,CN=Builtin,${DOMAINDN}
363 objectClass: top
364 objectClass: group
365 description: Members of this group may schedule logging of performance counters, enable trace providers, and collect event traces both locally and via remote access to this computer
366 objectSid: S-1-5-32-559
367 sAMAccountName: Performance Log Users
368 systemFlags: -1946157056
369 groupType: -2147483643
370 isCriticalSystemObject: TRUE
372 dn: CN=Windows Authorization Access Group,CN=Builtin,${DOMAINDN}
373 objectClass: top
374 objectClass: group
375 description: Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects
376 member: CN=S-1-5-9,CN=ForeignSecurityPrincipals,${DOMAINDN}
377 objectSid: S-1-5-32-560
378 sAMAccountName: Windows Authorization Access Group
379 systemFlags: -1946157056
380 groupType: -2147483643
381 isCriticalSystemObject: TRUE
383 dn: CN=Terminal Server License Servers,CN=Builtin,${DOMAINDN}
384 objectClass: top
385 objectClass: group
386 description: Members of this group can update user accounts in Active Directory with information about license issuance, for the purpose of tracking and reporting TS Per User CAL usage
387 objectSid: S-1-5-32-561
388 sAMAccountName: Terminal Server License Servers
389 systemFlags: -1946157056
390 groupType: -2147483643
391 isCriticalSystemObject: TRUE
393 dn: CN=Distributed COM Users,CN=Builtin,${DOMAINDN}
394 objectClass: top
395 objectClass: group
396 description: Members are allowed to launch, activate and use Distributed COM objects on this machine.
397 objectSid: S-1-5-32-562
398 sAMAccountName: Distributed COM Users
399 systemFlags: -1946157056
400 groupType: -2147483643
401 isCriticalSystemObject: TRUE
403 dn: CN=IIS_IUSRS,CN=Builtin,${DOMAINDN}
404 objectClass: top
405 objectClass: group
406 description: Built-in group used by Internet Information Services.
407 member: CN=S-1-5-17,CN=ForeignSecurityPrincipals,${DOMAINDN}
408 objectSid: S-1-5-32-568
409 sAMAccountName: IIS_IUSRS
410 systemFlags: -1946157056
411 groupType: -2147483643
412 isCriticalSystemObject: TRUE
414 dn: CN=Cryptographic Operators,CN=Builtin,${DOMAINDN}
415 objectClass: top
416 objectClass: group
417 description: Members are authorized to perform cryptographic operations.
418 objectSid: S-1-5-32-569
419 sAMAccountName: Cryptographic Operators
420 systemFlags: -1946157056
421 groupType: -2147483643
422 isCriticalSystemObject: TRUE
424 dn: CN=Event Log Readers,CN=Builtin,${DOMAINDN}
425 objectClass: top
426 objectClass: group
427 description: Members of this group can read event logs from local machine
428 objectSid: S-1-5-32-573
429 sAMAccountName: Event Log Readers
430 systemFlags: -1946157056
431 groupType: -2147483643
432 isCriticalSystemObject: TRUE
434 dn: CN=Certificate Service DCOM Access,CN=Builtin,${DOMAINDN}
435 objectClass: top
436 objectClass: group
437 description: Members of this group are allowed to connect to Certification Authorities in the enterprise
438 objectSid: S-1-5-32-574
439 sAMAccountName: Certificate Service DCOM Access
440 systemFlags: -1946157056
441 groupType: -2147483643
442 isCriticalSystemObject: TRUE